Tough Times and Risk Management

When the going gets tough, the tough start measuring cost, value, and risk. New economic pressures underscore the need for a risk-assessment approach to IT management overall, not just to security.

Written by Mark Gibbs

These are tough times. Over the last decade you have most likely become used to some kind of more-or-less stable basis for how your business operates. Sorry, but that's all about to change because the economy is in serious trouble.

Worse still, this trouble isn't going to last for just a few months. No, from what I read and what really smart people tell me it could take five to 10 years to pull ourselves out of this slough of despond.

If you don't believe me, then carry on as you are and good luck to you. On the other hand, if you are cautious and conservative, you might like to consider what I'm about to outline.

I contend that despite decades of everyone and his analyst brother espousing strategic thinking in information technology as a better approach than reflexive tactical responses, the reality of real organizations is that most of you have been driven to what might be best described as a set of sub-optimal solutions (what common parlance would describe as seriously sucky).

This started when you saw a fire that IT needed to address and you put it out. Then you saw another fire and another and another and so you went around putting out each one in turn. In no time at all you could point to having successfully dealt with scores of fires but there was a big problem: Each extinguished fire left its unique footprint that wasn’t connected to any other footprint.

Yes, indeed! You had created the silo problem: Lots of isolated pockets of technology. You now had (and probably still have) a crazy patchwork of systems and services that runs on the edge of chaos. Now every system change of any consequence has knock-on effects that multiply the cost of management and make stability a nice fantasy.

So, what is the solution? That's easy, it's risk management. There isn't one aspect, any single function or operation, of any organization that doesn't have profits and losses associated with its successful prosecution. In addition, there are costs associated with its potential failure to operate correctly.

Say you have a warehousing operation. It has costs associated with receiving, storing, retrieving and shipping whatever it is that it handles. You can't operate without a warehouse so it has a real, quantifiable value.

On the other hand there are risks associated with warehousing that lie in things such as not being able to receive incoming goods efficiently, taking too long to find goods that have been stored or not being able to find goods at all, goods getting damaged in storage . . . there are all sorts of risks and each has a quantifiable value.

And there's my central point—if you can’t quantify your risks then how can you possibly figure out where the real fires are that need to be put out?

What risk analysis gives you is a cost benefit model. For every workflow (workflow is really the only thing that matters because no step or process in an organization is isolated from the overall flow of business) there's a value of operation and a range of costs of failure (I say "range" because if something goes wrong then, at the least, workflow could pause and, at the worst, it can catastrophically stop).

Your job is to determine and evaluate every failure mode and associate costs and probabilities with each one. When you've done this exercise for every workflow in the organization you will then be in a position to rank the risks in order of value and likelihood.

Now you, oh wickedly smart IT guy, can look at your budget and weigh the value and risks of every operation and determine where your limited funds should be spent—in other words, how to get the biggest bang for your IT buck.

After such an analysis you may find that the expected upside from new development projects is less valuable than, say, improving storage reliability.
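The ranking the column describes can be worked through in a few lines. This is an added example, not part of the original column: each failure mode carries a likelihood and a cost range (pause versus full stop), workflows are ranked by expected loss, and candidate controls are funded by how much expected loss they remove per dollar. All figures and names are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass
class FailureMode:
    name: str
    probability: float   # annual likelihood (constructed estimate)
    pause_cost: float    # loss if the workflow merely pauses (best case)
    stop_cost: float     # loss if the workflow stops outright (worst case)
    def expected_loss(self):
        # Midpoint of the cost range, weighted by likelihood.
        return self.probability * (self.pause_cost + self.stop_cost) / 2

@dataclass
class Workflow:
    name: str
    operating_value: float   # annual value of the workflow running correctly
    failure_modes: list
    def expected_loss(self):
        return sum(fm.expected_loss() for fm in self.failure_modes)

def rank_by_risk(workflows):
    """Workflow names ordered by expected annual loss, highest first."""
    return [w.name for w in sorted(workflows, key=Workflow.expected_loss, reverse=True)]

@dataclass
class Control:
    name: str
    cost: float
    target: FailureMode
    new_probability: float   # likelihood once the control is in place
    def risk_reduction(self):
        after = replace(self.target, probability=self.new_probability)
        return self.target.expected_loss() - after.expected_loss()

def allocate(controls, budget):
    """Greedy: fund controls that remove the most expected loss per dollar first."""
    funded, remaining = [], budget
    for c in sorted(controls, key=lambda c: c.risk_reduction() / c.cost, reverse=True):
        if c.cost <= remaining:
            funded.append(c.name)
            remaining -= c.cost
    return funded, remaining

# Constructed figures for illustration only; none of them come from the column.
lost_goods = FailureMode("goods cannot be found", 0.30, 20_000, 200_000)
stock_db = FailureMode("stock database corrupted", 0.10, 50_000, 2_000_000)
restroom = FailureMode("cleaning schedule unavailable", 0.50, 100, 500)
WORKFLOWS = [Workflow("warehousing", 1_500_000, [lost_goods]),
             Workflow("stock management", 3_000_000, [stock_db]),
             Workflow("restroom-cleaning management", 5_000, [restroom])]
CONTROLS = [Control("upgrade stock-management system", 120_000, stock_db, 0.02),
            Control("barcode every warehouse location", 40_000, lost_goods, 0.10),
            Control("new restroom-cleaning system", 30_000, restroom, 0.05)]
```

With a budget of 160,000 the stock-management upgrade and the warehouse barcoding are funded and the restroom system is not, which is the trade-off the column goes on to describe.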

The problem is that this approach requires a willingness to allocate resources strategically; that in turn means you will knowingly underinvest in the low-value areas of your network and accept the consequences should disaster strike there.

As I suggested earlier, this leads to some interesting political issues, because in most organizations, power, the driving force of politics, is vested in the groups and individuals perceived as being the most influential, a perception that usually has less to do with budget size or revenue potential than with who controls the flow of information.

Who really controls the flow of information? You do! As I’ve been telling audiences at a series of events on identity management I've been involved with, we are the masters of the universe because there is no such thing as business without IT. There's nothing happening without IT providing the motive power.

So, here's the thing: You, my friend, are going to meet some serious political resistance when you tell the manager of widget production that—as much as you would like to specify, identify, implement, configure and run his crucially needed restroom-cleaning management system—there isn't enough money to do that. When you tell him that upgrading the stock-management system—which, if it fails, could bring the company to its financial knees—is more strategic than his project, he probably won't be happy and he'll flex his political muscle.

How are you going to respond? The worst thing you can do is to present a logical, dispassionate analysis based on facts and your years of experience—typically, when power politics are involved, it isn't the cool, rational argument that wins but he who masters the sound bite.

So, you, O master of the universe, need to consolidate your position preemptively. If you fail to communicate your strategic vision when the heat is off, there's little chance of owning the sound bite when political push comes to shove.

You understand the IT needs of the organization, so you need to develop a clear, simply argued road map that allows you to allocate your budget according to strategic need rather than tactical want. Your job is to get the greatest bang for your IT budget buck. That means that you need to make decisions with the cooperation of the business units singly and collectively while the heat is off.

The beauty of building this kind of support before a political crisis is that you already will have gotten everyone to buy into the vision. So, when the tough decisions have to be made—say, spending a shrinking budget on addressing the risk to the integrity of stock control before investing in marketing's petty-cash management system—everyone already gets it and can nod sagely and agree that the strategic vision—your vision—is the way to go.

What you will have really done is to have evaluated the risk to IT's power and invested in defense before being attacked. Now that's what I call strategic risk management.



Used with permission of Network World. Copyright© 2008. All rights reserved.

Additional Resources: Original article. Additional columns by Mark Gibbs on Network World.
